stx_crackme4.txt | Text File | 2000-05-25 | 6KB | 134 lines
Hiya!
First I want to thank all those good guys who are writing Crackmes and tests so that we can
learn and improve our knowledge. Greetings this time especially to tC, who coded the target
we're dealing with now, and to Eternal Bliss for doing great work with his CrackMe(s) site.
This time tC just asks us to enter a valid unlock-code that is split into six parts. With this
kind of protection scheme it's most likely that our entered password is compared with a
hardcoded serial. So let's check what we have here...
Again we will use NuMega's powerful SoftICE. Start Stx_cm and type in any code you want.
'Ctrl-D' to go to SoftICE and set a breakpoint on hmemcpy ('bpx hmemcpy'). F5 to go back to the
Crackme and press the OK-button.
SoftICE pops up; disable the breakpoint ('bd 0') and press F11 ('go to') once and then F12
('return from the procedure call') until we reach the Stx_cm code (watch the line between
the Code window and the Command window). You can go on by pressing F10 ('step over') or -
faster - by using some more F12's to pass some obvious rets until...
...we finally arrive here:
:0043D9DE E89D2EFEFF call 00420880
:0043D9E3 8B45F4 mov eax, dword ptr [ebp-0C]
:0043D9E6 8D55FC lea edx, dword ptr [ebp-04]
---
So if we trace the code we'll find part one here:
:0043DA38 E8DF5FFCFF call 00403A1C
:0043DA3D 83C040 add eax, 00000040
:0043DA40 3BF0 cmp esi, eax
:0043DA42 740A je 0043DA4E
Add 40h to eax to get the real code and then compare it with the fake code (esi). Both are hex
values, so to get the decimal values just type '? eax' and '? esi'. If we have entered a wrong
code - which we could accidentally have done - we don't jump, but soon afterwards we go the bad way
to the unregistered status ('jmp 0043DB10').
:0043DA57 E8242EFEFF call 00420880
:0043DA5C 8B45F4 mov eax, dword ptr [ebp-0C]
:0043DA5F BA44DB4300 mov edx, 0043DB44
:0043DA64 E8C360FCFF call 00403B2C
:0043DA69 740A je 0043DA75
This is part two. Our fake code is copied to eax and the real code is copied from 0043DB44 to edx.
You can check this by typing 'd eax' and 'd edx' in SoftICE. If the codes are equal then jump and
go on with the calculation routine; if not we will reach our bad jump soon ('jmp 0043DB10').
:0043DA75 897DF0 mov dword ptr [ebp-10], edi
:0043DA78 DB45F0 fild dword ptr [ebp-10]
:0043DA7B D8354CDB4300 fdiv dword ptr [0043DB4C]
:0043DA81 D81D50DB4300 fcomp dword ptr [0043DB50]
:0043DA87 DFE0 fstsw ax
:0043DA89 9E sahf
:0043DA8A 7407 je 0043DA93
Ahh, part three is probably not so easy to understand, and explaining it could be a little chapter
by itself. So here are just some short descriptions of these FPU mnemonics:
fild - load integer; fdiv - divide; fcomp - compare real (and pop); fstsw - store status word;
To follow this calculation: after stepping past 0043DA75, look at your register window and you will
see something like 'SS:0067F3E4=000000XX', where SS is the Stack Segment and XX is the hex value of
the code you entered ('? XX').
After stepping past the fdiv instruction, another look at the register window shows us
'DS:0043DB50=42F60000', where DS is the Data Segment and F6 is our real code as a hex value.
The sahf instruction is used to copy the floating point status register flags into the 80x86's
flag register. What does this mean for us here? If we entered a wrong code the Zero flag is not
set and we don't jump at location 0043DA8A which is bad because we'll see our old friend
'jmp 0043DB10' then. So the Zero flag must be set to go on with the code calculation.
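To make part three concrete, here is an added Python emulation of the fild/fdiv/fcomp/fstsw/sahf sequence (not code from the crackme or from this tutorial). It decodes the 42F60000 dword the text shows at 0043DB50 as an IEEE-754 single and models the je decision; the divisor dword at 0043DB4C is not printed on the page, so 2.0 is an assumed stand-in.

```python
import struct

# Dword the tutorial reads at DS:0043DB50 after the fdiv (value from the page).
REAL_CODE_FLOAT_RAW = 0x42F60000
# The divisor dword at 0043DB4C is not shown on the page; 2.0 (0x40000000) is
# an ASSUMED value so the emulation can run. Replace it with the real dword.
DIVISOR_FLOAT_RAW = 0x40000000


def dword_to_float(raw: int) -> float:
    """Reinterpret a 32-bit dword as the IEEE-754 single that 'fdiv/fcomp dword ptr' read."""
    return struct.unpack("<f", struct.pack("<I", raw & 0xFFFFFFFF))[0]


def part3_check(entered_code: int,
                divisor_raw: int = DIVISOR_FLOAT_RAW,
                target_raw: int = REAL_CODE_FLOAT_RAW) -> bool:
    """Emulate fild [ebp-10]; fdiv [0043DB4C]; fcomp [0043DB50]; fstsw ax; sahf; je.

    fild pushes the entered integer as ST(0); fdiv divides ST(0) by the memory
    single; fcomp sets C3=1 (C0=C2=0) when ST(0) equals the operand, then pops;
    fstsw/sahf copy C3 into ZF, so 'je 0043DA93' is taken exactly when ZF=1.
    """
    divisor = dword_to_float(divisor_raw)
    if divisor == 0.0:
        # The FPU would produce +/-inf (or NaN for 0/0); neither equals a finite target.
        return False
    st0 = float(entered_code) / divisor
    c3 = st0 == dword_to_float(target_raw)   # fcomp: C3=1 only on equality
    zf = c3                                  # sahf: AH bit 6 (C3) -> ZF
    return zf


def solve_part3(max_code: int = 0xFFFF) -> list:
    """Return every integer in [0, max_code] for which the je is taken."""
    return [c for c in range(max_code + 1) if part3_check(c)]


if __name__ == "__main__":
    print(hex(REAL_CODE_FLOAT_RAW), "->", dword_to_float(REAL_CODE_FLOAT_RAW))
    print("codes passing part three:", [hex(c) for c in solve_part3()])
```

With the assumed divisor the only 16-bit code that takes the jump is 0xF6 (246), matching the value the text calls the real code; plug in the genuine dword from 0043DB4C to get the real answer.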
:0043DA9E E8ED9AFCFF call 00407590
:0043DAA3 8B45EC mov eax, dword ptr [ebp-14]
:0043DAA6 BA5CDB4300 mov edx, 0043DB5C
:0043DAAB E87C60FCFF call 00403B2C
:0043DAB0 7407 je 0043DAB9
Part four: Our fake code is copied to eax and the real code is copied to edx; both as hex values.
At location 0043DAAB we find the 'comparison call' for these two values. Equal? Yes then jump and
go on. Remember that you have to enter the decimal value as your unlock-code.
:0043DAC2 E8B92DFEFF call 00420880
:0043DAC7 8B45F4 mov eax, dword ptr [ebp-0C]
:0043DACA BA68DB4300 mov edx, 0043DB68
:0043DACF E85860FCFF call 00403B2C
:0043DAD4 7407 je 0043DADD
Part five works the same way as part two. Our fake code is copied to eax and the real code is
copied from 0043DB68 to edx. You can check this by typing 'd eax' and 'd edx' in SoftICE. If the
codes are equal then jump and go on with the calculation routine; if not we will reach our bad
jump soon ('jmp 0043DB10').
:0043DAE6 E8952DFEFF call 00420880
:0043DAEB 8B45F4 mov eax, dword ptr [ebp-0C]
:0043DAEE BA78DB4300 mov edx, 0043DB78
:0043DAF3 E83460FCFF call 00403B2C
:0043DAF8 7407 je 0043DB01
:0043DAFA E885FEFFFF call 0043D984
:0043DAFF EB0F jmp 0043DB10
Again! Fake code to eax, real code to edx. Jump if good or go to the bad jump if you entered a
wrong code. This was the final comparison and if you typed in all six parts correctly you will
finally reach the 'registered status'.
If you look back to our entry point at location 0043D9E3, trace the code and watch the registers;
you will see that some of the real codes are being 'prepared' there for the following comparisons.
I haven't shown the real code here in numbers and chars because I think you can easily find it out
yourself now.
Done!
Greetings to all those helpful guys at the forums.
Good luck!
cheers tnwo_